Audit Report

IMPLEMENTATION OF DOD PUBLIC KEY INFRASTRUCTURE POLICY AND PROCEDURES

Report No. D-2002-030                                             December 28, 2001

Office of the Inspector General
Department of Defense

Additional Copies

To obtain additional copies of this audit report, visit the Inspector General, DoD, Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    OAIG-AUD (ATTN: AFTS Audit Suggestions)
    Inspector General, Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The identity of each writer and caller is fully protected.

Acronyms

ASD(C3I)   Assistant Secretary of Defense (Command, Control, Communications and Intelligence)
CAC        Common Access Card
CCA        Clinger-Cohen Act
CIO        Chief Information Officer
DEERS      Defense Enrollment Eligibility Reporting System
IA         Information Assurance
IT         Information Technology
PKE        Public Key-Enabled
PKI        Public Key Infrastructure
PMO        Program Management Office
RAPIDS     Real-time Automated Personnel Identification System

Office of the Inspector General, DoD

Report No. D-2002-030                                             December 28, 2001
(Project No. D2001AS-0008)

Implementation of DoD Public Key Infrastructure Policy and Procedures

Executive Summary

Introduction. Federal agencies, including DoD, are increasingly using the World Wide Web and other Internet-based applications to provide on-line public access to information and services as well as to improve internal business operations. However, the potential for improvements in service delivery and productivity due to electronic and Internet-based applications comes with many of the security risks faced by existing systems as well as new risks. To achieve information superiority in a highly interconnected, shared-risk environment, DoD Information Assurance capabilities must address the pervasiveness of information as a vital aspect of warfighting and business operations. The Defense-in-Depth strategy is the technical strategy that underlies DoD information assurance, in which layers of defense are used to achieve security objectives. One element of the Defense-in-Depth strategy is the use of a common, integrated, interoperable DoD Public Key Infrastructure to enable security services at multiple levels of assurance. As of October 2000, the funding allocation for the DoD Public Key Infrastructure for FYs 2001 through 2005 was about $712 million.

Objectives. The overall objective was to evaluate the implementation and management of Public Key Infrastructure within the DoD. 
Specifically, we evaluated the DoD oversight of Public Key Infrastructure, coordination of Public Key Infrastructure missions and pilot programs among the Services and DoD agencies, and compliance with the Clinger-Cohen Act. We did not review the management control program relating to the overall objective because DoD designated information assurance as a systemic management control weakness in the FY 2000 Annual Statement of Assurance.

Results. Although progress had been made in implementing Public Key Infrastructure, DoD had not managed the DoD Public Key Infrastructure Program as an enterprise-wide information technology investment. As a result, DoD will not be able to adequately assess cost, performance, and schedule risks to Public Key Infrastructure implementation and use those assessments to determine whether the Public Key Infrastructure Program is cost-effectively meeting security requirements and user needs. See the Finding section for details on the audit results.

Summary of Recommendations. We recommend that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) develop and implement oversight and management criteria for the Public Key Infrastructure investment. We also recommend that the Director, Public Key Infrastructure Program, develop an Information Technology Investment Management Plan for the DoD Public Key Infrastructure Program that addresses performance measures for the Public Key Infrastructure, a risk management plan, and DoD acquisition policy.

Management Comments. The Director, Information Assurance, provided a consolidated response for the Office of the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) and the Director, DoD Public Key Infrastructure Program Management Office. Both offices fully concurred with the report finding and recommendations. 
Specifically, the Office of the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) agreed to develop and implement oversight and management criteria for the DoD Public Key Infrastructure investment in accordance with DoD Directive 5000.1, "The Defense Acquisition System." The Director, DoD Public Key Infrastructure Program Management Office, agreed to develop an Information Technology Investment Management Plan for the Public Key Infrastructure Program that, at a minimum, addresses performance measures, a comprehensive risk management plan, and application of DoD acquisition policy requirements. A discussion of the management comments is in the Finding section of the report and the complete text is in the Management Comments section.

Table of Contents

Executive Summary

Introduction
    Background
    Objectives

Finding
    Status of the Implementation of the DoD Public Key Infrastructure Program

Appendixes
    A. Audit Process
        Scope
        Methodology
        Management Control Program Review
        Prior Coverage
    B. Public Key Encryption
    C. Policy Memorandums Affecting the DoD Public Key Infrastructure Program
    D. Public Key Initiatives That Are Not Controlled by the Program Management Office
    E. Report Distribution

Management Comments
    Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)

Introduction

Federal agencies, including DoD, are increasingly using the World Wide Web and other Internet-based applications to provide on-line public access to information and services as well as to improve internal business operations. However, the potential for improvements in service delivery and productivity because of electronic and Internet-based applications comes with new security risks and with the security risks already faced by existing systems.

To achieve information superiority[1] in a highly interconnected, shared-risk environment, DoD Information Assurance (IA) capabilities must address the pervasiveness of information as a vital aspect of warfighting and business operations. The Defense-in-Depth strategy is the technical strategy that underlies DoD IA, in which layers of defense are used to achieve security objectives. That strategy recognizes the diversity of technologies, solutions, adversaries, and vulnerabilities that pervade our information systems and infrastructures. The strategy also recognizes that no single element can independently provide adequate assurance and that layers of defense at varying strengths and assurance levels can be deployed to provide multiple roadblocks between sensitive information systems and those internal and external adversaries who would try to exploit them. 
One element of the Defense-in-Depth strategy is the use of a common, integrated, interoperable Public Key Infrastructure (PKI) to enable security services at multiple levels of assurance.

Background

Description of PKI. A PKI is a system of hardware, software, policies, and people that, when fully and properly implemented, can provide a suite of information security assurances that are important in protecting sensitive communications and transactions. Specifically, PKI refers to the framework and services that provide for generating, producing, distributing, controlling, revoking, recovering, and tracking public key certificates[2] and their corresponding private keys. For PKI, key pairs are generated by or for each user. Each key pair comprises two keys (very large numbers, typically 150 to 300 digits in length), which are mathematically linked so that what one key signs or encrypts only the other can verify or decrypt, while the private key cannot feasibly be derived from the public key. For each key pair, one key is kept private and the other is made public. See Appendix B for a graphical example of how the key pairs for PKI can work.

[1] Information superiority is the capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same.

[2] A certificate is a digital representation of information that binds the user's identification with the user's public key in a trusted manner. 
At a minimum, this information (1) identifies the certification authority issuing it, (2) names or identifies its user, (3) contains the user's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it.

Public Key technology is rapidly becoming the technology of choice to enable security services within systems. These security services include:

    • identification, which is a process that an information system uses to recognize an entity, and authentication, which is a security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information;

    • data integrity, which means that data are unchanged from their source and have not been accidentally or maliciously modified, altered, or destroyed;

    • confidentiality, which means that the information is not disclosed to unauthorized persons, processes, or devices; and

    • non-repudiation, which is the assurance that the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so that neither individual can later deny having sent or received the data.

DoD PKI Program. 
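The following Go program is an added illustration of the certificate and key-pair mechanics just described; it is not part of the report and does not model any DoD product, certification authority, naming scheme, or certificate class. Using only the Go standard library, it builds a toy certification authority, issues a subscriber certificate that carries the five items listed in note 2, and performs the checks a relying party must make before any of the security services above can be trusted: the certificate must chain to a trusted root, the current time must fall inside its operational period, and a signature made with the subscriber's private key must verify with the public key the certificate binds to that name. It also exercises the failure cases: a tampered message, an expired certificate, and a certificate from a second, untrusted authority that claims the same subscriber name. Every name, serial number, lifetime, and the sample message is constructed. The keys are 2048-bit RSA (a modulus of about 617 decimal digits) rather than the 150 to 300 digits the report mentions, because moduli of that smaller size are no longer considered adequate for digital signatures.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// baseTime is the example's clock (the report date), so the constructed lifetimes below are easy to follow.
var baseTime = time.Date(2001, 12, 28, 0, 0, 0, 0, time.UTC)
// PKI is a toy certification authority plus one subscriber; every name, serial number and lifetime is constructed.
type PKI struct {
	CACert   *x509.Certificate
	UserCert *x509.Certificate
	userKey  *rsa.PrivateKey // the subscriber's private key; in practice it stays on the token
}
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with signer on behalf of parent and parses the result, i.e. the bytes a relying party receives.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// NewPKI sets up a self-signed root CA named caName and issues one subscriber certificate under it. Both carry
// the five items the report lists: issuer (1), subject (2), public key (3), operational period (4), CA signature (5).
func NewPKI(caName string) *PKI {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048) // 2048-bit modulus, about 617 decimal digits
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: caName},
		NotBefore:    baseTime, NotAfter: baseTime.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root: issuer equals subject
	userKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "DOE.JANE.1234567890"}, // hypothetical subscriber name
		NotBefore:    baseTime, NotAfter: baseTime.AddDate(3, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}
	userCert := issue(userTmpl, caCert, &userKey.PublicKey, caKey) // signed with the CA key, never the user key
	return &PKI{CACert: caCert, UserCert: userCert, userKey: userKey}
}

// ValidateCertificate is the relying-party check: the chain must end at this PKI's root, now must lie inside
// the operational period, and the certificate must be permitted for client authentication.
func (p *PKI) ValidateCertificate(cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CACert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, err := cert.Verify(opts)
	return err
}

// Sign signs msg with the subscriber's private key (data integrity and non-repudiation of origin).
func (p *PKI) Sign(msg []byte) []byte {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.userKey, crypto.SHA256, digest[:])
	check(err)
	return sig
}

// VerifySignature validates cert first, then checks sig over msg with the public key cert binds to its subject.
func (p *PKI) VerifySignature(cert *x509.Certificate, msg, sig []byte, now time.Time) error {
	if err := p.ValidateCertificate(cert, now); err != nil {
		return err
	}
	return cert.CheckSignature(x509.SHA256WithRSA, msg, sig)
}

func main() {
	p, rogue, now := NewPKI("Example Root CA"), NewPKI("Rogue CA"), baseTime.AddDate(1, 0, 0)
	msg := []byte("constructed sample message") // constructed input
	sig := p.Sign(msg)
	fmt.Println("genuine: ", p.VerifySignature(p.UserCert, msg, sig, now))                 // <nil>
	fmt.Println("tampered:", p.VerifySignature(p.UserCert, []byte("altered"), sig, now))   // verification error
	fmt.Println("expired: ", p.ValidateCertificate(p.UserCert, baseTime.AddDate(4, 0, 0))) // expired
	fmt.Println("rogue CA:", p.ValidateCertificate(rogue.UserCert, now))                   // unknown authority
}
```

Run with go run and the program prints <nil> for the genuine signature and an error for each of the three failure cases. Two points the code makes deliberately: VerifySignature validates the certificate before using the key in it, because a bare signature check would accept the rogue authority's key pair just as readily; and the self-signed root is trusted only because the relying party placed it in its root pool, which is the trust decision a PKI ultimately rests on. Revocation, which the report lists among the PKI services, is not checked here; a production relying party must also consult the issuer's revocation data before accepting a certificate.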
In April 1999, the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) [ASD(C3I)] assigned program management responsibility to the National Security Agency and deputy program management responsibility to the Defense Information Systems Agency for the implementation of a PKI throughout DoD. In response, the National Security Agency and the Defense Information Systems Agency established the DoD PKI Program Management Office (PMO) to ensure that the DoD PKI supports validated and endorsed Public Key-Enabled (PKE) systems and applications that meet the broad spectrum of DoD mission and business needs. As lead agencies for the DoD PKI Program, the National Security Agency and the Defense Information Systems Agency were responsible for coordinating PKI activities within DoD by defining and providing general implementation guidance. The PMO was responsible for identifying and coordinating DoD PKI requirements and addressing interoperability, compatibility, commonality, and standardization issues. In addition, the PMO was responsible for the development and publication of a comprehensive PKI architecture, for a PKI implementation and transition plan, and for resolution of programmatic issues. DoD plans to use an open standards approach[3] based on commercial products and services, while still maintaining appropriate levels of security.

[3] The DoD PKI is based on the use of commercial standards to the maximum extent feasible. 
DoD will ensure that its specifications are consistent with emerging commercial and National Institute of Standards and Technology Federal standards and will track new and evolving Internet standards to ensure that the most viable commercial standards are fully leveraged.

PKI Funding. As of October 2000, the DoD PKI budget was about $712 million for FYs 2001 through 2005. The PMO oversees spending of the $712 million, but each DoD Component manages its own portion. Funding for the PMO itself was about $1.4 million. The table below shows the allocation of PKI funding within DoD.

DoD PKI FYs 2001-2005 Funding Allocation as of October 16, 2000

    Component                               Amount (millions)
    National Security Agency*                        $134.00
    Defense Information Systems Agency*                72.90
    Army                                              140.20
    Navy                                              107.20
    Air Force                                         132.20
    Marine Corps                                       56.63
    Defense Logistics Agency                           25.00
    Others                                             43.50
    Total                                            $711.63

    *Amounts do not include the $1.4 million for the PMO.

PKI Guidance. 
The Deputy Secretary of Defense and the ASD(C3I) issued several policy memorandums that affected the evolution of the DoD PKI Program. See Appendix C for a chronology and discussion of the policy memorandums relative to the DoD PKI Program. On August 12, 2000, the ASD(C3I) issued the policy memorandum "Department of Defense (DoD) Public Key Infrastructure (PKI)," which updated DoD policies for the development and implementation of a DoD-wide PKI and aligned PKI activities and milestones with those of the DoD Common Access Card (CAC) Program. Earlier, on November 10, 1999, the Deputy Secretary of Defense had issued the policy memorandum "Smart Card Adoption and Implementation," which directed the implementation of standard DoD smart card technology as a DoD-wide CAC. The Deputy Secretary also designated the CAC as the primary token[4] platform for PKI certificates and directed that the CAC also operate as the standard identification card and building access card. The memorandum also mandated using the Defense Enrollment Eligibility Reporting System (DEERS)[5] infrastructure and the Real-time Automated Personnel Identification System (RAPIDS)[6] to issue and maintain the CAC. 
Additionally, the Deputy Secretary of Defense authorized the DoD Chief Information Officer to modify the PKI guidance to incorporate and accommodate use of the CAC.

[4] A token is a device (floppy disk, Common Access Card, or smart card) that is used to protect and transport the private keys of a user.

[5] The Defense Enrollment Eligibility Reporting System (DEERS) is a database that contains status information on Uniformed Services members, their families, and DoD civilians.

[6] The Real-time Automated Personnel Identification System (RAPIDS) is an automated identification card system for military members, retirees, and their families.

PKI Implementation. DoD had revised the schedule for PKI implementation based on requirements of the PKI guidance. The current implementation schedule is shown below.

Implementation Schedule

    Class 3[7] Registration Capability                                        December 2001
    All DoD Personnel Issued Class 3 Certificates                             October 2002
    All DoD E-mail Must Be Digitally Signed with a Class 3 Certificate        October 2002
    Begin Issuing Class 4 Certificates                                        October 2002
    Protection of Unclassified Mission Critical Systems Must Migrate
      from Class 3 to Class 4                                                 December 2003

Objectives

The overall objective was to evaluate the implementation and management of PKI within the DoD. 
Specifically, we evaluated DoD oversight of PKI, coordination of PKI missions and pilot programs among the Services and DoD agencies, and compliance with the requirements of the Clinger-Cohen Act. We did not review the management control program relating to the overall objective because DoD designated information assurance as a systemic management control weakness in the FY 2000 Annual Statement of Assurance. See Appendix A for a discussion of the audit scope and methodology.

[7] The level of assurance of a public key certificate is the degree of confidence in the binding of the identity to the public keys and privileges. DoD has identified the following assurance levels: Class 3 is for applications handling medium value information in a low to medium risk environment; Class 4 is for applications handling medium to high value information in a minimally protected environment.

Status of the Implementation of the DoD Public Key Infrastructure Program

Although progress had been made in implementing PKI within DoD, the PKI PMO had not managed the DoD PKI Program as a DoD enterprise-wide information technology (IT) investment. 
This condition occurred because the PMO had not:

    • developed a coordinated DoD-wide IT investment plan that identified performance measures and managed risks that could affect PKI implementation;

    • considered the PKI Program to be subject to DoD acquisition policy, which requires a process to document and collectively manage cost, performance, and schedule parameters for a program investment; and

    • complied with the DoD implementation of the Clinger-Cohen Act (CCA) for managing IT investments.

Additionally, the DoD Chief Information Officer (CIO) had not developed or implemented oversight and management criteria for evaluating the PKI Program because it was designated only as a special interest initiative program. As a result, DoD will not be able to adequately assess cost, performance, and schedule risks to PKI implementation and use those assessments to determine whether the PKI Program is cost-effectively meeting security requirements and user needs.

Progress in Implementing the DoD PKI Program

The PMO took action and made progress in implementing the PKI Program. Specifically, the PMO issued various management and operational documents, established working groups, provided periodic status briefs, and identified unfunded requirements.

Management and Operational Documents. The PMO ensures that the management and planning documents provided for the PKI Program reflect Federal PKI requirements. 
Those documents included the "Public Key Infrastructure Roadmap for Department of Defense" (PKI Roadmap), December 18, 2000; the "X.509 Certificate Policy for the United States Department of Defense" (X.509 Certificate Policy), November 13, 2000; and the "Public Key Infrastructure Implementation Plan for the Department of Defense" (PKI Implementation Plan), December 18, 2000. They are discussed below.

The PKI Roadmap. The PKI Roadmap established the overall plan for the DoD PKI Program and outlined the strategy and timelines for the availability of PKI capabilities. The PKI Roadmap also defined how the DoD PKI would evolve into its final target architecture. The PMO reviewed and updated the PKI Roadmap, as appropriate, to reflect changes in direction or strategy.

The X.509 Certificate Policy. The PMO issued the X.509 Certificate Policy, which established the unified policy for creating and managing a Certification Authority and its related components. The Certificate Policy also defined how certificates will be created, managed, and used with PKE applications.

The PKI Implementation Plan. The PKI Implementation Plan provided for the phased implementation of a DoD-wide PKI and helped to coordinate PKI across the Services and among DoD activities. The PKI Implementation Plan documents how to implement the PKI Program and establishes the foundation for collecting information on the status of PKI.

Working Groups. The PMO established several working groups to address major areas of the PKI Program. 
The PKI working groups included the Certificate Policy Management Working Group, the Technical Working Group, the Business Working Group, and the Tactical Working Group. The PMO established the working groups to serve as focal points for DoD activities, to present issues and concerns on the DoD PKI Program implementation, and to resolve those issues and concerns.

Periodic Status Briefs. The PMO sponsored status reviews where the various DoD Component PKI offices provided status updates on their PKI programs. The PMO developed a report template to facilitate status reporting during the reviews. The PMO used the template as a status-tracking tool to assess time-based performance relating to the DoD PKI Implementation Plan. Results were compared to a predetermined goal to measure progress. Additionally, the PMO published a monthly PKI electronic letter that provided a source of information for DoD Component PKI offices on PKI and PMO activities. The PMO also provided quarterly PKI status reviews to the DoD CIO.

Unfunded Requirements. Through discussions with the PKI working groups, the PMO identified several unfunded requirements for the DoD PKI Program and briefed those requirements to the DoD CIO during periodic meetings. 
The unfunded requirements included operating PKI in a tactical environment, enabling applications to work with the PKI, security support for the Common Access Card (CAC), and middleware[8] development for CAC readers.

[8] Middleware is a layer of software between the network and applications that provides services such as identification, authentication, authorization, directories, and security.

PMO Management of the DoD PKI Program

The PMO had not managed the DoD PKI Program as a DoD enterprise-wide IT investment, as advocated in the CCA. The PMO had not developed an IT investment plan that identified performance measures for the DoD PKI Program or adequately managed risks that could affect the PKI Program. Also, the PMO had not followed the intent of DoD acquisition policy by developing a process to document and manage cost, performance, and schedule parameters for PKI. The development of an IT investment plan and compliance with the intent of DoD acquisition policy and the CCA are discussed below.

IT Investment Management. 
The DoD developed an investment guide, "Department of Defense Guide for Managing Information Technology (IT) as an Investment and Measuring Performance" (DoD IT Guide), February 10, 1997, which establishes an analytical framework for linking IT investment decisions to strategic objectives, business plans, and organizational mission performance. The DoD IT Guide recommends the use of a consistent set of objective, outcome-oriented performance measures to ensure that the right things are being measured and that problems are identified as early in the process as possible. Because the DoD IT Guide links its recommended IT investment policies to statutory requirements such as the CCA and the Government Performance and Results Act, performance measures must be quantifiable, measurable, and comparable against an established baseline. The PMO used time-based performance measures to determine the progress that DoD Components were making in their respective PKI programs. However, those measures did not assess operational performance for the overall DoD PKI Program. Although DoD will issue Class 3 certificates to more than 3.5 million DoD military, civilian, and contractor employees, the PMO had not established operational performance measures, such as the number of registration authorities required to issue certificates versus the number of registration authorities available to issue certificates. Consequently, DoD will be unable to effectively assess whether the PKI Program is meeting user needs.

Risk Management Plan. When managing an IT investment, the DoD IT Guide requires that risk assessments be performed to expose potential technical and managerial weaknesses. Specifically, risks must be assessed using a well-defined, documented process, or a risk management plan, to monitor, manage, and mitigate associated risks. 
The PMO identified and documented risks associated with the implementation of the PKI Program in the PKI Roadmap but did not identify the associated cost, performance, or schedule parameters and risks for the overall PKI Program. Further, the PMO had not developed a plan of action that included alternative solutions to mitigate the risks associated with PKI initiatives that are not controlled by the PMO. The cost, performance, and schedule of initiatives that are not controlled by the PMO would affect the implementation of the PKI Program. See Appendix D for a discussion of the PKI initiatives that are not controlled by the PMO.

Compliance with DoD Acquisition Requirements. DoD Directive 5000.1, "The Defense Acquisition System," October 23, 2000, exists to secure and sustain the nation's investments in the technologies, programs, and products necessary to achieve the National Security Strategy and to support the Armed Forces. The primary objective of Defense acquisition is to acquire quality products that meet user needs and provide measurable improvements to mission accomplishment and operational support, in a timely manner, and at a fair and reasonable price. Consequently, decision-makers and program managers are required to tailor acquisition strategies that:

    • are consistent with common sense;

    • conform to sound business management practices;

    • comply with applicable laws, defense policies, and regulations; and

    • address the time-sensitive nature of the user's requirements to fit the particular program.

As of August 2001, the PMO had not documented compliance with the intent of DoD acquisition policy. 
DoD considers IT investments such as the PKI Program to be special interest initiatives that are not subject to normal DoD acquisition policy requirements. However, sound business practices and an investment of $712 million for the PKI Program dictate a need for a process to assess progress towards established goals, especially for cost, performance, and schedule. Establishing parameters that define the minimum acceptable value and the maximum allowable value for each would allow DoD to evaluate investments such as the PKI Program.

Compliance With the Clinger-Cohen Act (CCA). The CCA, which is addressed in the DoD IT Guide, provides statutory requirements for managing IT investments within the Federal Government. The CCA requires agencies to design and implement a process to maximize the value and assess and manage the risks of IT acquisitions. Further, the CCA requires agencies to devise a process to obtain timely information on the progress of an investment in an information system, including milestones for measuring that progress, on an independently verifiable basis, in terms of cost, capability of meeting specified requirements, timeliness, and quality.

As of August 2001, the PMO had not documented the compliance of the PKI Program with the DoD implementation of the CCA. 
Specifically, the PMO, in conjunction with the office of the DoD CIO, had not:

   • Designed a process for maximizing the value and managing the risk of PKI;

   • Prescribed performance measures that will show how well the PKI capability will support agency programs and mission requirements; and

   • Provided the means for external management to obtain timely information regarding PKI progress that included a system of milestones for measuring progress on an independently verifiable basis in terms of cost, timeliness, quality, and capabilities versus requirements.

Chief Information Officer Oversight and Management for the DoD PKI Program

Congress enacted reform legislation to improve the methods by which Federal agencies select and manage IT resources. Those IT investments must provide measurable improvements in mission performance. To comply with congressional requirements, the Secretary of Defense delegated responsibility to the DoD CIO to provide oversight and management for all DoD IT investments.

As of August 2001, the office of the DoD CIO had not provided oversight or advised the PKI PMO on acquisition requirements for the PKI Program, which was designated as a special interest initiative.
The Deputy CIO memorandum, “Designation of Major Automated Information System Acquisition Programs/Special Interest Initiatives and Related Oversight Requirements,” May 5, 1999, provided general guidance for programs designated as special interest initiatives. Specifically, the memorandum required CIO personnel to:

   • incorporate into regulatory guidance and oversight processes those requirements included in the CCA for IT investments; and

   • tailor management, oversight, and quarterly reporting requirements to ensure that warfighter requirements are met.

However, CIO personnel did not follow that guidance and did not establish or tailor management, oversight, or reporting requirements for the PKI Program, as specified by the May 1999 memorandum. Specifically, DoD CIO oversight officials did not require the PMO to:

   • submit an acquisition strategy for review and approval;

   • coordinate and obtain consensus on acquisition requirements that added value to the PKI Program, especially for cost, performance, and schedule; and

   • develop or submit acquisition milestone exit criteria, such as an information assurance strategy, analysis of alternatives, or economic analysis.

On March 30, 2001, the CIO updated the May 5, 1999, memorandum to identify those DoD information systems designated as major automated information systems subject to the requirements outlined in the Defense Acquisition System guidance. However, the March 2001 memorandum did not address oversight requirements for special interest initiatives.
Instead, the March 2001 memorandum stated that the CIO would issue separate guidance on major IT investments subject to CIO management oversight by the end of FY 2001. The memorandum also stated that the CIO would continue to oversee special interest initiatives that were under active oversight, where the CIO office reviewed acquisition documents or exit criteria, or evaluated the progress of the program. However, because the PKI Program was not under active acquisition oversight, the CIO did not have an effective means to minimize the risk for the DoD-wide IT investment or to ensure its compliance with defense acquisition and CCA requirements. The CIO must oversee the performance of IT programs, including the PKI Program, to evaluate the performance of those programs on the basis of the applicable performance measurements, and advise DoD management on whether to continue, modify, or terminate a program or project.

Conclusion

The DoD PKI Program is an evolving program, which is dependent upon technological advancements and commercial products. Coordinated management and oversight are essential to the successful implementation of this DoD-wide investment. Although the PMO addressed the changing requirements of the PKI Program, additional challenges remain. The PMO needs to address cost, performance, and schedule parameters of and risks to PKI implementation and develop a plan of action that includes solutions to mitigate risks associated with PKI initiatives that are not controlled by the PMO. Otherwise, DoD will not be able to adequately assess cost, performance, and schedule risks to PKI Program implementation and use those assessments to determine whether the PKI Program is cost-effectively meeting security requirements and user needs.

Recommendations and Management Comments

1.
We recommend that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) develop and implement oversight and management criteria for the DoD Public Key Infrastructure investment in accordance with DoD Directive 5000.1, “The Defense Acquisition System.”

2. We recommend that the Director, DoD Public Key Infrastructure Program Management Office, review the “Department of Defense Guide for Managing Information Technology as an Investment and Measuring Performance,” February 10, 1997, and develop an Information Technology Investment Management Plan for the DoD Public Key Infrastructure that addresses, at a minimum:

   a. Performance measures that show how the Public Key Infrastructure capability will support agency programs and mission requirements;

   b. A risk management plan that identifies cost, performance, and schedule parameters and risks for the overall Public Key Infrastructure Program, and provides alternative solutions to mitigate risks associated with Public Key initiatives that are not controlled by the Program Management Office; and

   c. Application of DoD acquisition policy requirements to the DoD Public Key Infrastructure Program, to include cost, performance, and schedule parameters.

Management Comments

The Director, Information Assurance, provided a consolidated response for the Office of the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) and the Director, DoD Public Key Infrastructure Program Management Office.
Both offices fully concurred with the report finding and recommendations.

The Office of the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) also stated that a recommendation was made to designate the Public Key Infrastructure Program as a Major Automated Information System on November 7, 2001, with the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) as the Milestone Decision Authority. Also, the acquisition process will be tailored, to the extent feasible, to take into account program maturity to enable speed and flexibility in program implementation.

Appendix A. Audit Process

Scope

Work Performed. We reviewed and evaluated guidance for the DoD PKI Program contained in policy memorandums, “DoD Public Key Infrastructure,” May 6, 1999 (canceled) and August 12, 2000; “Smart Card Adoption and Implementation,” November 10, 1999; and “PKI Operating Documents,” December 13, 1999. We also reviewed requirements for the CCA and DoD acquisition policy.

We visited the DoD PKI Program Management Office to evaluate the management and implementation of the PKI program within DoD. We also visited the Services’ PKI program management offices to gain an understanding of the component-level and associated PKI beta tests to assess the status, progress, and implementation of the PKI programs.

General Accounting Office High-Risk Area. The General Accounting Office lists information assurance as a high-risk area.

Methodology

Audit Type, Dates, and Standards. We performed this economy and efficiency audit from October 2000 through August 2001 in accordance with generally accepted government auditing standards.
We did not use computer-processed data for this audit.

Contacts During the Audit. We visited or contacted individuals and organizations within DoD. Further details are available on request.

Management Control Program Review

We did not review the management control program related to the overall objective because DoD designated information assurance as a systemic management control weakness in the FY 2000 Annual Statement of Assurance.

Prior Coverage

The General Accounting Office and the Inspector General, DoD, have conducted multiple reviews related to information assurance issues. General Accounting Office reports can be accessed over the Internet at http://www.gao.gov. Inspector General, DoD, reports can be accessed at http://www.dodig.osd.mil.

General Accounting Office

General Accounting Office Report No. 01-277, “Information Security: Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology,” February 2001

General Accounting Office Report No. NSIAD-00-108, “Defense Management: Electronic Commerce Implementation Strategy Can Be Improved,” July 2000

Appendix B.
Public Key Encryption

[Figure: Person A, using Person B’s public key, turns a plaintext message into a ciphertext message; Person B, using Person B’s private key, turns the ciphertext message back into the plaintext message.]

Person A writes a plaintext message and encrypts it using Person B’s public key. Then Person A transmits the ciphertext message to Person B. Person B decrypts the ciphertext message using Person B’s private key. The figure represents an example of how the key pairs can work.

Appendix C. Policy Memorandums Affecting the DoD Public Key Infrastructure Program

May 6, 1999, Policy Memorandum. In Deputy Secretary of Defense policy memorandum, “Department of Defense (DoD) Public Key Infrastructure (PKI),” May 6, 1999 (superseded by policy memorandum, August 12, 2000), the Deputy Secretary directed that DoD take an aggressive approach in acquiring and using a PKI that met requirements for all IA services. The policy memorandum provided initial guidance, policy, and milestones for a common, integrated DoD PKI.
The Deputy Secretary also encouraged the widespread use of PKE applications and provided the following specific guidelines for applying PKI services:

   • selecting appropriate PKI certificate assurance levels;

   • deploying PKI registration capability for FORTEZZA-based PKI (near-term solution for Class 4) and the Class 3 (formerly Medium Assurance) PKI;

   • evolving certificates from Class 3 to Class 4 (now Release 3 and Release 4);

   • issuing identity and encryption certificates;

   • establishing external certificate authorities; and

   • establishing milestones for PKI for web servers and signed email.

November 10, 1999, Policy Memorandum. In Deputy Secretary of Defense policy memorandum, “Smart Card Adoption and Implementation,” November 10, 1999, the Deputy Secretary directed the use of smart card technology and the CAC using the DEERS/RAPIDS infrastructure. In addition, the Deputy Secretary authorized that PKI guidance be modified to incorporate and accommodate the use of the CAC. The Deputy Secretary also directed that the CAC be used as a standard DoD identification card, building access card, and PKI certificate token carrier. Further, the Deputy Secretary directed that the CAC be issued to all active duty military personnel, selected Reserve personnel, DoD civilian employees, and eligible contractor personnel. The Deputy Secretary required an initial implementation of the CAC by December 30, 2000.

December 13, 1999, Policy Memorandum.
In ASD(C3I) policy memorandum, “Public Key Infrastructure (PKI) Operating Documents,” December 13, 1999, the ASD(C3I) required the DoD PKI PMO to update the operating guidance, specifically, the DoD PKI Roadmap and the DoD X.509 Certificate Policy, to reflect changes in program direction or strategy. The ASD(C3I) also required the PMO to coordinate the Roadmap with final decisions concerning the CAC and the Global Information Grid programs.

August 12, 2000, Policy Memorandum. In ASD(C3I) policy memorandum, “Department of Defense (DoD) Public Key Infrastructure (PKI),” August 12, 2000 (canceled policy memorandum dated May 6, 1999), the ASD(C3I) updated the DoD guidelines and policies for the development and implementation of a DoD-wide PKI and aligned PKI activities and milestones with the CAC. The ASD(C3I) also:

   • mandated CAC as the primary token platform for PKI certificates;

   • revised requirements for registration capability to December 2001;

   • designated DEERS/RAPIDS as the primary registration platform and required the integration of DEERS/RAPIDS with the PKI capability;

   • required DEERS/RAPIDS initial operational capability by December 2000; and

   • required issuance of Class 3 certificates to DoD users by October 2002.

Evolution of the DoD PKI Program Based on Policy Memorandums. Based on the May 6, 1999, policy memorandum, the Deputy Secretary of Defense directed DoD to deploy registration capability based on two PKI levels:

   • the FORTEZZA-based PKI (for high-level assurance) and

   • the Class 3 PKI (for medium level assurance).

Both infrastructures will use software-based tokens to protect and transport private keys.
Moreover, every DoD organization was required to have the capability to issue Class 3 certificates by October 2000, and issuance of Class 3 certificates to all DoD users was required by October 2001.

Based on the November 10, 1999, policy memorandum, the Deputy Secretary of Defense designated the CAC as the token for PKI because smart cards were already being used in various operational and business applications as an authentication token for certificates and as a private key for digital signature and access authentication. Consequently, the memorandum changed the requirement to protect and transport private keys from a software-based token to a hardware-based token, the CAC. In addition, the Deputy Secretary required an initial implementation of the CAC by December 30, 2000.

The August 12, 2000, policy memorandum extended the date for DoD Component registration capability from October 2000 to December 2001. Also, the date for issuance of Class 3 certificates for DoD users was changed from October 2001 to October 2002.

Appendix D. Public Key Infrastructure Initiatives That Are Not Controlled by the Program Management Office

Registration Platform for PKI. Deputy Secretary of Defense policy memorandum, “Smart Card Adoption and Implementation,” November 10, 1999, directed the use of smart card technology, the CAC, and the DEERS/RAPIDS infrastructure for the PKI Program. Based on the memorandum, ASD(C3I) designated the DEERS/RAPIDS as the primary registration platform to issue PKI certificates for Class 3 and, subsequently, Class 4 certificates, on the CAC. Additionally, the ASD(C3I) required that all users have Class 3 certificates by October 2002.
To support the CAC registration requirements, the Defense Manpower Data Center, which is the system owner, began security and technical upgrades of DEERS/RAPIDS workstations. As of June 2001, the DEERS/RAPIDS upgrades were behind schedule, potentially delaying the proposed rollout milestone date and the initiation of CAC issuance. Based on discussions with Service PKI offices, the milestone slippage threatens their ability to meet the October 2002 deadline to issue Class 3 certificates on the CAC. However, a plan of action providing alternatives, such as issuing software tokens until the registration workstations are ready or issuing tokens based on validated need, could provide temporary solutions for DoD if DEERS/RAPIDS is not ready.

Public Key-Enabled (PKE) Applications Progress. For the PKI to operate, DoD has to prepare, or enable, applications to work with the infrastructure. Otherwise, DoD could have an expensive infrastructure that has no practical use. A PKE application can accept or process certificates to support functions, such as digital signatures or data encryption, that provide security services. The PKE applications work with the PKI to access public key certificates, revocation information, and general information in public directories or repositories. DoD Components are responsible for paying costs associated with enabling applications for PKI because the PKE costs are not included in the $712 million budgeted for PKI. Although the PMO is not responsible for enabling applications, the PMO is developing the tools and capabilities that will be used to support the enabling of applications.
A plan of action that addressed PKE application issues and shared lessons learned on applications could help DoD Components understand PKI policies, use, and interfaces and could help minimize interoperability problems that could result from enabling applications.

Middleware and Card Reader Requirements. The DoD PKI will use card readers to download information from hardware tokens (the CACs). Middleware enables the readers and the tokens to communicate with the computer software. The Smart Card Senior Coordination Group developed technical specifications for middleware and card readers, and a number of vendors have met those specifications. Because DoD Components will be responsible for purchasing their own card readers and middleware, it is unlikely that all Components would purchase the same type of card reader. Consequently, the use of different card readers could result in incompatibility among the multiple card reader systems. Additionally, different operating systems require different middleware, further increasing the chance of incompatibility. The PMO realized that complete compatibility between all card readers and middleware within the DoD would not be possible. However, the PMO had not devised a plan for minimizing incompatibility and maximizing use of middleware and card readers among DoD Components, such as evaluating readers and developing a list of vendors that provide compatible card readers.

Directories. Directories are used as a repository for the distribution of the certificates and certificate revocation lists. Specifically, directories will be used to identify and authenticate certificates of users and entities. The Defense Information Systems Agency will establish the Global Directory Services to meet this requirement.
Although the directories were scheduled to be fully operational by December 2004, the PKI PMO will work with the Defense Information Systems Agency to activate the PKI function of the directories earlier than that date. However, the control of the directories is external to the PMO and must be considered as an increased external risk that could affect the successful implementation of the DoD PKI Program. Because of the increased risk, the PMO may need to identify an alternate plan of action to identify and authenticate certificates if the directory function is not available prior to PKI implementation.

Common Access Card Security Requirements. The X.509 Certificate Policy, December 13, 1999, identified the technical specifications and security capabilities necessary for the hardware token for the CAC. The National Institute of Standards and Technology published a list of compliant cryptographic modules that met the minimum requirements defined in the Certificate Policy. Both the DoD Certificate Policy and the National Institute of Standards and Technology identified vendors that produced compliant cryptographic modules; however, the Navy selected a CAC that did not meet the established technical and security requirements of the Certificate Policy and National Institute of Standards and Technology. According to the PKI PMO, the Navy chose the CAC because the functions that DoD Components required were not available with the other CACs. Although the PMO stated that the CAC should be compliant by July 2001, the PMO had not developed a plan showing an alternate course of action if the CAC did not meet security requirements within the planned milestone.

Key Recovery Policies and Procedures. The PKI concept proposed the use of encryption certificates to enable the user to encrypt and decrypt e-mail messages and files.
The public key of the certificate will be used to encrypt the data and the private key will be used to decrypt the data (or vice versa). If the private key is unattainable due to loss, termination, or theft, the encrypted data cannot be decrypted, which could lead to information loss. To mitigate information loss, DoD needs a comprehensive key recovery policy that addresses the threat, risk, and vulnerabilities of private key loss. The policy should also provide technical solutions for recovery of DoD encrypted information, or an alternate plan of action that addresses information loss because of loss, theft, or unavailability of keys.

Unfunded Requirements. The PMO had not developed a plan to address DoD PKI Program requirements that could affect the successful implementation of the PKI program. Specifically, the DoD Components identified requirements that were not included in their budgets for FYs 2002-2005 but the requirements were needed for the PKI. Unfunded requirements included:

   • Two levels of assurance operating concurrently (Class 3 and Class 4)*. Although Class 4 will replace Class 3, DoD will have an overlap of Class 3 and Class 4 with the associated costs.

   • PKE applications. Although PKE applications are required for PKI, DoD Components must enable applications at their own cost. The amount budgeted for PKI is for infrastructure only.

   • Security support for the CAC.
Although the CAC is the designated token for certificates for DoD, costs for security support requirements associated with the CAC have not been funded.

   • Middleware. The middleware and card readers are needed to work with the CAC. DoD Components must pay for their own middleware and card readers.

   • PKI operation in a tactical environment. To support the warfighter, PKI must be portable. Costs associated with a portable PKI have not been funded.

The PMO briefed the unfunded requirements to the DoD CIO. However, a plan of action identifying the costs of the unfunded requirements, showing the overall effect that the funding shortfalls could have on the DoD PKI Program, and suggesting alternate solutions to address the funding shortfalls is needed for the PKI Program.

* Upon the completion of testing, Class 3 and Class 4 will be renamed Release 3 and Release 4. For purposes of this report, we are using their current naming conventions.

Appendix E.
Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller/Chief Financial Officer)
  Deputy Chief Financial Officer
  Deputy Comptroller (Program/Budget)
  Director, Program Analysis and Evaluation
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
  Deputy Assistant Secretary of Defense, Deputy Chief Information Officer
  Deputy Assistant Secretary of Defense, Security and Information Operations
    Director, Infrastructure and Information Assurance
      Director, Defense-Wide Information Assurance Program
      Director, Public Key Infrastructure Program Management Office

Joint Staff
Director, Joint Staff
  Chief Information Officer, Joint Staff

Department of the Army
Director of Information Systems for Command, Control, Communications and Computers
Chief Information Officer, Department of the Army
Auditor General, Department of the Army

Department of the Navy
Director, Space, Information Warfare, Command and Control
Director, Command, Control, Communications, and Computers, Marine Corps
  Director, Marine Corps Network Operations Center
Commander, Marine Corps Systems Command
Chief Information Officer, Department of the Navy
Auditor General, Department of the Navy
Naval Inspector General
Inspector General, Marine Corps

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Deputy Chief of Staff, Communications and Information
Commander, Air Force Materiel Command
  Commander, Cryptologic Systems Group, Electronic Systems Center
Chief Information Officer, Department of the Air Force
Auditor General, Department of the Air Force

Other Defense Organizations
Director, Defense Information Systems Agency
  Chief Information Officer, Defense Information Systems Agency
Director, National Security Agency
  Inspector General, National Security Agency

Non-Defense Federal Organizations
Office of Management and Budget
  Office of Information and Regulatory Affairs

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations, Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International Relations, Committee on Government Reform
House Subcommittee on Technology and Procurement Policy, Committee on Government Reform

Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) Comments

Audit Team Members

The Acquisition Management Directorate, Office of the Assistant Inspector General for Auditing, DoD, prepared this report. Personnel of the Office of the Inspector General, DoD, who contributed to the report are listed below.

Mary L. Ugone
Wanda A. Scott
Dianna J. Pearson
Donna Roberts
Richard B. Vasquez
Cristina Maria H. Giusti
Timothy A. Cole
Jamal E. Hall
Pamela Newkirk
Jacqueline Pugh
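The Appendix B key-pair exchange together with the key recovery risk discussed in Appendix D, as an added example that is not part of the original report: Person A encrypts under Person B's public key, only Person B's private key decrypts, and an escrowed copy of that private key is what keeps the data recoverable if the key is lost. Textbook RSA with small, freshly generated keys is assumed for illustration only, and Person A, Person B, and the recovery agent are constructed names.

```python
"""Appendix B key-pair exchange plus the Appendix D key recovery risk. Added
illustration, not the report's material: textbook RSA with small, freshly
generated keys (no padding, keys far too short for real use). All names are
constructed."""
import secrets
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # witness in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness proved n composite
    return True

def random_prime(bits: int) -> int:
    """Random odd prime with its top bit set, so p * q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 256):
    """Return ((e, n), (d, n)): the public key and its matching private key."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, p * q), (d, p * q)

def encrypt(public_key, message: bytes) -> int:
    """Person A's step in the figure: c = m^e mod n under Person B's public key."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    # Leading zero bytes would vanish in the integer round trip; m must be below n.
    if not message or message[0] == 0 or m >= n:
        raise ValueError("message must be non-empty, not start with 0x00, and be < n")
    return pow(m, e, n)

def decrypt(private_key, ciphertext: int) -> bytes:
    """Person B's step in the figure: m = c^d mod n under Person B's private key."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

class KeyRecoveryAgent:
    """Constructed stand-in for the key recovery capability Appendix D calls for:
    an escrowed copy of each user's private decryption key, stored at issuance."""
    def __init__(self):
        self._escrow = {}
    def escrow(self, user: str, private_key) -> None:
        self._escrow[user] = private_key
    def recover(self, user: str):
        if user not in self._escrow:
            raise KeyError(f"no escrowed key for {user}: the encrypted data is lost")
        return self._escrow[user]

def walkthrough(message: bytes = b"constructed sample message") -> dict:
    """Appendix B exchange, then the key-loss scenario with and without escrow."""
    pub_b, priv_b = generate_keypair()
    agent = KeyRecoveryAgent()
    agent.escrow("person_b", priv_b)  # done when the encryption certificate is issued
    ciphertext = encrypt(pub_b, message)  # Person A holds only B's public key
    result = {"b_decrypts": decrypt(priv_b, ciphertext) == message}
    del priv_b  # B's private key is lost, stolen, or B has left the organization
    result["recovered_via_escrow"] = decrypt(agent.recover("person_b"), ciphertext) == message
    try:
        KeyRecoveryAgent().recover("person_b")  # same loss, but no escrow was ever taken
        result["unescrowed_lost"] = False
    except KeyError:
        result["unescrowed_lost"] = True
    _, priv_other = generate_keypair()  # another user's private key does not help
    result["other_key_fails"] = decrypt(priv_other, ciphertext) != message
    return result
```

Calling `walkthrough()` returns all four flags as True: Person B decrypts, the escrowed copy recovers the data after the key is lost, an unescrowed loss is unrecoverable, and a different private key yields garbage.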